AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has a custom application with embedded credentials that retrieves information from an Amazon RDS MySQL DB instance. Management says the application must be made more secure with the least amount of programming effort.

What should a solutions architect do to meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS Key Management Service (AWS KMS) to create keys. Configure the application to load the database credentials from AWS KMS. Enable automatic key rotation.

Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Create an AWS Lambda function that rotates the credentials in Secret Manager.

Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Secrets Manager. Configure the application to load the database credentials from Secrets Manager. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Secrets Manager.

Create credentials on the RDS for MySQL database for the application user and store the credentials in AWS Systems Manager Parameter Store. Configure the application to load the database credentials from Parameter Store. Set up a credentials rotation schedule for the application user in the RDS for MySQL database using Parameter Store.

Explanation:

Explanation

Correct Answer: C

Why Option C is correct:

AWS Secrets Manager is specifically designed for storing and rotating database credentials securely.
Least programming effort - Secrets Manager has built-in integration with RDS for MySQL for automatic credential rotation, eliminating the need to write custom Lambda functions.
Secure credential management - The credentials are removed from the application code and stored securely in Secrets Manager.
Automatic rotation - Secrets Manager can automatically rotate RDS MySQL credentials on a schedule, enhancing security.

Why other options are incorrect:

Option A: AWS KMS is for encryption keys, not for storing and rotating database credentials. While KMS can encrypt data, it doesn't provide the built-in credential rotation capabilities that Secrets Manager offers for RDS databases.

Option B: While this uses Secrets Manager correctly, creating a custom Lambda function for rotation adds unnecessary programming effort. Secrets Manager has native RDS credential rotation capabilities that don't require custom Lambda functions.

Option D: AWS Systems Manager Parameter Store is good for storing configuration data and secrets, but it doesn't have built-in credential rotation capabilities for RDS databases like Secrets Manager does. You would need to implement custom rotation logic.

Key AWS Services:

AWS Secrets Manager: Secure storage and automatic rotation of database credentials
Amazon RDS: Managed relational database service
Least programming effort: Using native AWS services with built-in capabilities minimizes custom code

Security Best Practice: Removing hardcoded credentials from application code and using a secure secrets management service with automatic rotation significantly improves security posture.

Powered ByGPT-5.2

Comments

Loading comments...